TRAFFIC MONITOR PROCEDURE

START
S101: THREAD IS DIVIDED
S102: PACKETS ARE CAPTURED
S103: EXECUTION OF THREAD IS SLEPT FOR A SPECIFIC TIME
S104: PACKETS ARE CALCULATED USING CONNECTING ID, TIME RANGE, Src IP, Dist IP, Dist Port AS A KEY
S105: DATA IS STORED IN THE TRAFFIC DB

FIG. 5



UNAUTHORIZED ACCESS PREVENTION... 3/1/04
Tamura et al.
Greer, Burns & Crain, Ltd. (Patrick Burns)
Ref. No. 1503.69885
Sheet 6 of 15 (312) 360 0080



[Table residue: columns CONNECTING ID, TIME RANGE, Src IP, Dist IP, Dist Port, Count. Legible values: CONNECTING ID ABC01234, NBC56780, AS245; Count 1456, 35724, 169043. Remaining cells are not recoverable.]




UNAUTHORIZED ACCESS NOTIFICATION PROCEDURE

START
S201: UNAUTHORIZED ACCESS EVENT IS CHECKED

| DATA MEMBER | EXAMPLE 1 | EXAMPLE 2 |
|---|---|---|
| DETECTING ID | 00-00-0E-82-2E-74-0001 | 00-00-0E-82-2E-74-0002 |
| TIME RANGE START (GMT) | 2003/2/1 16:01:16 | 2003/2/17 11:31:11 |
| TIME RANGE END (GMT) | 2003/2/1 16:11:16 | 2003/2/17 11:41:11 |
| ATTACK CATEGORY | TCP Syn Flood | Worm |
| ORGANIZATION NAME | Company A | Company B |
| BELONGING ISP | ISP ABC | ISP XYZ |
| TARGET PROTOCOL | TCP | UDP |
| Src IP | 10.4.120.Z | 169.0.255.C |
| Dist IP | 192.168.X.Y | 164.71.A.B |
| Dist Port | 80 | 1434 |
| NUMBER OF UNAUTHORIZED PACKETS | 156789 | 876534 |
| ATTACK TOOL NAME | TFN2K | SQL Slammer |
| COUNTERMEASURE CANCELLATION POLICY | 10 MINUTES | 20 MINUTES |

UNAUTHORIZED ACCESS COUNTERMEASURE IMPLEMENTATION PLACE DETERMINATION PROCEDURE

START
S321: LIST OF EDGE ROUTERS IS OBTAINED
EDGE ROUTERS HAVING A TRAFFIC DB THAT COMPLIES WITH TIME RANGE, Src IP, Dist IP, AND Dist Port INCLUDED IN UNAUTHORIZED ACCESS NOTIFICATION ARE EXTRACTED
S323: CONNECTING ID IS OBTAINED FROM STORED DATA IN THE TRAFFIC DB FOR THE TRANSIENTLY-CONNECTED EDGE ROUTER AMONG EDGE ROUTERS THAT ARE LEFT IN THE LIST OF EDGE ROUTERS
OPERATION MANAGEMENT SYSTEM CHECKS WHETHER CONNECTING ID IS IN USE AT PRESENT, AND IF CONNECTING ID IS IN USE, THE TRANSIENTLY-CONNECTED EDGE ROUTER IS EXTRACTED
S325: EDGE ROUTERS THAT ARE LEFT IN THE LIST ARE CLASSIFIED INTO THOSE FOR THE COUNTERMEASURE TO BE IMPLEMENTED IN A USER'S ORGANIZATION AND THOSE FOR THE COUNTERMEASURE TO BE ENTRUSTED TO ANOTHER ORGANIZATION
• WHEN COUNTERMEASURE IS IMPLEMENTED IN A USER'S ORGANIZATION, THE EDGE ROUTER IS A TRANSIENTLY-CONNECTED EDGE ROUTER OR AN ISP EDGE ROUTER HAVING NO RELIABLE RELATIONSHIP WITH AN ADJACENT ISP
• WHEN COUNTERMEASURE IS ENTRUSTED TO ANOTHER ORGANIZATION, THE EDGE ROUTER IS AN ISP EDGE ROUTER HAVING A RELIABLE RELATIONSHIP WITH AN ADJACENT ISP
RETURN

INTER-ORGANIZATIONAL ATTESTATION PROCEDURE

START
S331: SERVER IS ATTESTED
S332: CLIENT IS ATTESTED
RETURN

INTER-ORGANIZATIONAL POLICY EXCHANGE PROCEDURE

START
S341: ENCRYPTION ALGORITHM IS EXCHANGED SO THAT A COMMON ALGORITHM IS EMPLOYED BETWEEN REQUESTER AND REQUEST DESTINATION SIDE
S342: COUNTERMEASURE CANCELLATION TIME THRESHOLD VALUE IS EXCHANGED BETWEEN REQUESTER AND REQUEST DESTINATION SIDE, AND A SHORTER COUNTERMEASURE CANCELLATION TIME IS EMPLOYED
S343: TIME ZONE IS EXCHANGED BETWEEN REQUESTER AND REQUEST DESTINATION SIDE
RETURN

UNAUTHORIZED ACCESS COUNTERMEASURE RECORDING PROCEDURE

START
S501: LOG REQUEST IS TAKEN OUT
S502: TIME, ACTION, DETECTING ID, TIME RANGE, Src IP, Dist IP, Dist Port, NUMBER OF UNAUTHORIZED PACKETS, ATTACK CATEGORY ARE RECORDED IN THE LOG

ACTION: COUNTERMEASURE IMPLEMENTATION, COUNTERMEASURE TRANSFER, COUNTERMEASURE SUSPENSION, COUNTERMEASURE CANCELLATION

FIG. 14

FIG. 15



